External references and resources
In addition to the references spread across the chapters - most often as “Further reading” - here is an extended list of hacking and security resources.
It is important that you rate those resources for yourself. I have my personal categories.
- ALERT: Resources that are fast at alerting, but I do not expect in-depth coverage
- DEEP: Slow (months after the incident) but incredibly deep coverage
- SIMPLE: Resources to share with non-tech people
- KNOWLEDGE: General knowledge covering specific technology. Not a source for threat intelligence
All of them have their benefits and you should always use the proper source for the task at hand.
Books
Book: Practical Internet of Things Security
Practical Internet of Things Security by Drew Van Duren, Brian Russell
A very methodical book covering
- Threat modelling
- Design
- Life cycle
- Basic Cryptography
- Authentication/Authorization
- Compliance monitoring
- IoT Incident Response
A good overview.
Potential improvement: Go deeper into details and specific technology. For example: The crypto chapter is a good start, but really using crypto will require reading more books. Says the one writing a “security overview book”… I know…
Book: Test Driven Development for Embedded C
Test Driven Development for Embedded C by James W. Grenning
A pragmatic, step-by-step approach to developing for embedded systems in C while still benefiting from unit tests.
This book will improve your software quality and security.
The Browser Hacker’s Handbook
The Browser Hacker’s Handbook by Michele Orru, Christian Frichot, Wade Alcorn
Essential knowledge on how to hack and secure a browser. Lots of focus on BeEF.
Book: IoT Penetration Cookbook
IoT Penetration Cookbook by Aaron Guzman, Aditya Gupta
Wide spectrum of offensive technologies. Good for creating a checklist of what to protect. Be prepared to read more in-depth books for the technologies you are interested in.
Book: Pragmatic Thinking and Learning
Pragmatic Thinking and Learning, by Andy Hunt
Explains your most important tool as a computer expert: Your brain. How to use it, how to learn. A very important book for me. Written for the engineer.
Driving Technical Change
Driving Technical Change, by Terrence Ryan
A book explaining how to introduce new technologies in a team or company. Simple to read but with very essential tricks for the tech guy on how to get mental boulders blocking change out of the way.
Anti Patterns
Anti Patterns, Refactoring Software, Architectures, and Projects in Crisis by William H. Brown, Raphael C. Malveau, Hays W. “Skip” McCormick III, Thomas J. Mowbray
A book showing typical anti-patterns that just happen in larger (software) projects. Your project will also suffer from some of those. Read this to understand those patterns and learn how to eliminate them.
Conferences
An important criterion for conferences added here is online publication of talks and papers.
When you know where to look you will find lots of awesome conferences with different priorities and a different focus.
CCC
The Chaos Computer Club has several conferences in Germany. They differ in focus and size. If you are interested in computer security, the MRMCD and the Congress are the most valuable ones for you. Talks are recorded and can be found on media.ccc.de.
Usenix (scientific security conference)
Usenix is a high-tech security and academic conference. Bleeding-edge technology, but it is a bit harder to get it into a product than with other conferences.
Hack.lu
Hack.lu is a security conference in Luxembourg. Talks are recorded, but it seems there is no central storage besides YouTube where you can find them.
OWASP
Blackhat
Blackhat is a security conference with events in the US, Europe and Asia (so don’t get confused).
Shmoocon 2006 - 2020
Defcon
BSides
[BSides TLV 2021](https://www.youtube.com/playlist?list=PLkNlAwTF5yEvS0IDS8zRanqUfTWxadcV4)
Radare Con
2020:
- https://github.com/radareorg/r2con2020
Purdue University seminar
Virus Bulletin
Virus Bulletin is an antivirus community magazine, tester and conference.
The conference in particular has in-depth talks covering malware and malware actors. Some of those talks can be found on YouTube.
Blogs
Blogs are a good resource for in-depth malware analysis or content of almost any complexity. I suggest you check out which ones cover topics you are interested in and then start monitoring them for changes.
Security perspective from a bank; check out articles, blogs, handbooks, white papers: Bank Info Security
Deep analysis and IOCs: Cylance
Team Cymru blog covers threat intelligence.
Malware must die blog contains malware information.
Malware don’t need coffee focuses on Exploit kits and their distribution.
Cyber crime Magazine focuses more on the crime aspect.
Citizen lab - big game hunting
Also Brian Krebs is very well known for his investigations into the crime part of the topic.
To stay in the world of crime: Europol will also cover it. But not focused on computer security.
The antivirus companies also have blogs, sometimes several, with a focus on end users or tech nerds. Those can vary in depth.
Just to name a few.
News
Hacker news portals:
Podcasts
- Security Now
- The Silver Bullet
- Darknet Diaries
Magazines
Magazines (called Zines) are a part of the hacker culture. And they still exist.
- Pagedout magazine
- POC or GTFO (also available on other mirrors and as books)
- Spuz.me pen testing
Videos
Workshops and Training
CTF
Capture the flag (CTF) events are challenges to test your own hacking skills. A good way to do that without committing any crimes.
Background and some help:
There are also CTF competitions: